Telecom operators such as Bharti Airtel, Vodafone Idea and Reliance Jio are likely to seek an 18-month timeline to comply with the provisions of the Digital Personal Data Protection (DPDP) Act after the notification of its rules, sources said.
The operators are expected to include this request in their comments to the government on the draft rules for implementing the Act, which were released last week.
The extended timeline is being sought to allow telecom operators to modify their customer application forms (CAFs) and adapt their existing technological frameworks to manage user consent regarding data usage and processing. Given the massive volumes of personal data handled by telecom operators, they are expected to be classified as significant data fiduciaries under the DPDP Act.
Currently, telcos utilise personal data for sending marketing messages, making sales pitches, and generating app-based offers. They also share data with third parties in bundled services, such as offering OTT subscriptions or digital payment add-ons. Under the new Act, such practices will require explicit user consent and the implementation of new technical mechanisms—necessitating significant operational changes.
In a bid to ensure verifiable parental consent to manage data of minors, the telecom operators are expected to make changes to their CAFs, which would require parents to declare that SIM card is being taken for a child.
“Obtaining explicit consent for data collection and third-party sharing, especially in bundled services like OTT subscriptions and digital payments, requires major operational changes,” said Jidesh Kumar, managing partner at King Stubb & Kasiva, Advocates and Attorneys. Kumar also highlighted the need for enhanced security protocols, given that telcos handle sensitive data such as Aadhaar-based eKYC and biometrics.
Telecom operators will also have to ensure mechanisms to manage data principal rights—such as access, correction, and deletion of data—which will be particularly challenging given their large customer base. Non-compliance could result in penalties of up to ₹250 crore, imposed by the Data Protection Board.
An executive at a telecom firm said they are not much concerned about verifiable parental consent as the SIM cards are taken by people above 18. Besides, if a minor would use SIM cards on parents’ ID, then it will automatically be from the consent of parents. In the CAF, a column or two can be added asking people if they are taking sim cards for themselves or for minors.
Sucharita Basu, managing partner at AQUILAW, said, “Data localisation norms may apply to telcos, likely impacting international calling and messaging services. If the draft rules are finalised in their current form, the impact on international roaming services will need to be assessed.”
The draft rules prohibit the transfer of specific personal or traffic data outside India if identified by the government based on recommendations from a newly constituted committee.
The government said the committee framework, emphasising its necessity to address sector-specific data localisation needs, which are essential for citizens’ safety.
“Telecom operators should conduct a thorough assessment of their data processing activities to ensure compliance with the DPDP Act. This includes reviewing consent mechanisms, data security measures, and procedures for handling data principal rights,” said Rahul Sundaram, Partner, IndiaLaw LLP.
Telecom companies would be required to implement robust security protocols to prevent unauthorised access or misuse of personal data. In the event of a data breach, they are required to notify both the Data Protection Board of India and the affected users, following guidelines.
